And a little more good news: David “VideoMan” Bryan, global leader of technology at X-Force Red, is here to talk about the need for improved ATM security and how his team is prepared to help.

Good Timing for ATM Testing

According to Bryan, client requests for ATM testing are up 300 percent, which makes sense given the FBI’s recent warning about global ATM cash-out attacks. While the warning itself was part of a confidential alert that was shared with banks, Bryan suggests the likely impetus was an ATM breach that gave attackers unauthorized access to database information such as clients’ personal identification numbers (PINs).

A Dual Risk

Bryan explains that most ATMs have two major points of vulnerability: an embedded device (often a cash drawer) and the Windows machine running any ATM software. In one test, he compared two seemingly identical machines: One machine was highly secured and the other was vulnerable. The difference is that the first was properly patched. In another scenario, he found that the physical locking mechanism for computer systems was faulty, allowing full access to the hardware.

ATM Security Best Practices

How can financial companies protect their ATMs? It starts with patching. Keeping machines up to date is always the first line of defense.

Next, Bryan suggests reviewing ATM systems regularly. In one testing case, he found an ATM that was well-hardened but contained a zero-day vulnerability in its management hardware.

See X-Force Red in Action

When it comes to closing ATM loopholes, the newly announced X-Force Labs can help. IBM’s global testing facilities offer both the benefit of publicly available data — the team purchases Internet of Things (IoT) devices, tests them and releases its findings — and client-specific testing. Companies interested in leveraging X-Force expertise can request IoT, IIoT or OT testing.